I read in the docs (Workload Identity | Nomad | HashiCorp Developer) that the implicit workload identity policy gives all jobs access to list or read any Nomad service registration. Is this true? Is there any way to limit the services which are visible to a job? This seems like a security hole.